2015-2022:
Ukraine In Review
Joe Slowik
Gigamon || Paralus
id jslowik
uid=1000(jslowik)
gid=1000(jslowik),
05(philosophy),
09(US_Military),
14(US_DOE),
17(Dragos_Inc && Paralus),
20(DomainTools),
21(Gigamon)
First…
Thrice Is Nice: Ukraine In Review
Now, What Makes Up The “Electric System” Or Grid?
Let’s Review Events
Lots Of Bad Stuff
Only Three KNOWN Power Sector Incidents
2015: BlackEnergy3-Facilitated Event
2016: Industroyer Destructive Attempt
2022: Industroyer2 Disruption (?) Attempt
Compromise IT Network
• Phishing With Malicious Docs
• Use Of BlackEnergy3 To Facilitate Operations
Enter OT Environment
• Credential Harvesting & Replay
• OT Asset Access
Induce Disruption
• "SCADA Hijack" & "Phantom Mouse"
• Wiper Deployment
• UPS & Serial-To-Ethernet Disruption
Prykarpattyaoblenergo
• KillDisk Wiper
• Serial-To-Ethernet Attack
• Call Center Disruption
• UPS Shutdown For Telecom PBX
Kyivoblenergo
• KillDisk Wiper
• Serial-To-Ethernet Attack
• Call Center Disruption
• UPS Shutdown
Chernivtsioblenergo
• KillDisk Execution
• Serial-To-Ethernet Attack
Post-Disruption Attack | Operator Impact & Implications
KillDisk Wiper | Remove System Monitoring & Control Equipment From Use; Delay & Inhibit Remote Recovery
Serial-To-Ethernet Firmware Modification | Eliminate Ability To Control Or View Equipment
UPS Modification | Induce Outages And Loss Of Resiliency, Further Inhibit Recovery
Telephone DoS | Induce Panic In Customer Base; Inhibit Ability To Scope Outage
Execution
• Months Of Preparation
• Very "Manual" Attack – Multiple Teams Acting Simultaneously?
Impact
• Loss & Denial Of Control
• Targeting Visibility & Recovery
Result
• UA Operators Rapidly Moved To Manual Operations
• Disruptive, And Full Recovery Took A LONG Time - But Not As Bad As It Could Have Been!
• Compromise Data Historians To Enable Access To Control Network
• Push CRASHOVERRIDE To SCADA/DCS Devices, Schedule Execution Via Service
• Execute CRASHOVERRIDE To Open Breakers
• Wipe SCADA/DCS Devices Via Service Re-Mapping, File Deletion
• Shut Down Protective Relays Via Denial-Of-Service Attack
INTENDED BUT (MOSTLY) FAILED!
2015
• Target Multiple Distribution Sites
• Manual Actions To Cause Service Impact
• Target Post-Impact Recovery
2016
• Target Single Transmission Site
• Automated Actions To Cause Service Impact
• Post-Disruption Action On Protective Relays
2016 Arguably Was Less Impactful Than 2015…
But…
• Open Breakers To Interrupt Service
• Anticipate Rush To Service Restoration Based On 2015 Event
• Remove Line Protection Via Relay DoS
• Enable Potential Destructive Impact On Manual Reconnect
Based On Deployed Capabilities And Sequence, 2016 Was Likely An Attempt At A Destructive Event!
However…
Control System Communications Not Properly Implemented
Evidence Of "Rushed Development" In Industroyer Modules
Siprotec Relay DoS Not Properly Developed, Deployed
• Target Substations (Nine?) For Disruptive Event
• Deploy IEC-104 Protocol-Aware Malware
• Stage Wiper Malware Across Multiple Systems
• Execute Coordinated Shutdown And Wiping Operation
Attack Defeated Before It Could Happen!
…but
CaddyWiper
• Deployed On ICS Workstations
• Similar To KillDisk Deployment In 2015, Wiper Element In 2016
ORCSHRED / SOLOSHRED / AWFULSHRED
• Linux & Solaris-Focused Wipers
• Use "shred" Or "dd" Commands, Stops Critical Services
• Extends Disruption Across Environment
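The Linux/Solaris wipers described above are said to lean on ordinary "shred" and "dd" commands and to stop services first, which makes host audit logs a natural detection point. The following is an added example written for this review, not code from the talk or from any vendor: it scans auditd EXECVE records for device-level shred/dd and for stops of services on a critical list, and escalates a wipe that follows a service stop within a short window. The log lines in SAMPLE_LOG are constructed, and the CRITICAL_SERVICES names are placeholders an operator would replace with the hosts' real units.

```python
"""Flag wiper-like command sequences in Linux auditd EXECVE records.

Added example written for this review, not code from the talk or any vendor
product. It looks for 'shred' or 'dd' aimed at a block device or device-mapper
path and for 'systemctl stop' / 'service ... stop' of services on a critical
list, then escalates a wipe that follows a service stop within a time window.
The log lines in SAMPLE_LOG are constructed; CRITICAL_SERVICES holds placeholder
unit names an operator would replace with the hosts' real ones.
"""
import re
from typing import Dict, List, Optional, Tuple

CRITICAL_SERVICES = {"postgresql", "scada-historian", "iec104-gateway"}  # placeholder unit names
DEVICE_PREFIXES = ("/dev/sd", "/dev/nvme", "/dev/vd", "/dev/xvd", "/dev/mapper/", "/dev/dm-", "/dev/md")
WINDOW_SECONDS = 300

ARG_RE = re.compile(r'\ba(\d+)="([^"]*)"')          # a0="prog" a1="arg" ... in EXECVE records
TS_RE = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")   # epoch seconds from msg=audit(TS.ms:serial)


def parse_execve(line: str) -> Optional[Tuple[int, List[str]]]:
    """Return (epoch seconds, argv) for an EXECVE record; None for other record types."""
    if "type=EXECVE" not in line:
        return None
    m = TS_RE.search(line)
    if not m:
        return None
    args = sorted((int(i), v) for i, v in ARG_RE.findall(line))
    return int(m.group(1)), [v for _, v in args]


def _unit_name(arg: str) -> str:
    return arg[:-len(".service")] if arg.endswith(".service") else arg


def classify(argv: List[str]) -> Optional[str]:
    """Return 'wipe' for device-level shred/dd, 'stop' for a critical service stop, else None."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]  # tolerate absolute paths such as /usr/bin/shred
    if prog == "shred" and any(a.startswith(DEVICE_PREFIXES) for a in argv[1:]):
        return "wipe"
    if prog == "dd" and any(a.startswith("of=") and a[3:].startswith(DEVICE_PREFIXES) for a in argv[1:]):
        return "wipe"  # dd to a regular file (backups, disk images) is left alone
    if prog == "systemctl" and len(argv) >= 3 and argv[1] == "stop":
        if {_unit_name(a) for a in argv[2:]} & CRITICAL_SERVICES:
            return "stop"
    if prog == "service" and len(argv) >= 3 and argv[2] == "stop" and argv[1] in CRITICAL_SERVICES:
        return "stop"
    return None


def detect(lines: List[str], window: int = WINDOW_SECONDS) -> List[Dict[str, object]]:
    """Score each suspicious EXECVE; a wipe within `window` seconds after a critical
    service stop is escalated, since the combination is the wiper pattern rather than admin work."""
    events = []
    for line in lines:
        parsed = parse_execve(line)
        if parsed is None:
            continue
        ts, argv = parsed
        kind = classify(argv)
        if kind:
            events.append((ts, kind, " ".join(argv)))
    events.sort()
    stops = [ts for ts, kind, _ in events if kind == "stop"]
    alerts: List[Dict[str, object]] = []
    for ts, kind, cmd in events:
        alert: Dict[str, object] = {"ts": ts, "kind": kind, "cmd": cmd,
                                    "severity": "high" if kind == "wipe" else "medium"}
        if kind == "wipe" and any(0 <= ts - s <= window for s in stops):
            alert["severity"] = "critical"
            alert["note"] = "device wipe shortly after critical service stop"
        alerts.append(alert)
    return alerts


# Constructed auditd lines for this example (not from a real host).
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1649760000.101:4710): arch=c000003e syscall=59 success=yes exit=0 comm="systemctl"',
    'type=EXECVE msg=audit(1649760000.101:4710): argc=3 a0="systemctl" a1="stop" a2="scada-historian.service"',
    'type=EXECVE msg=audit(1649760012.450:4712): argc=3 a0="/usr/bin/tar" a1="-czf" a2="/tmp/backup.tgz"',
    'type=EXECVE msg=audit(1649760045.020:4715): argc=4 a0="shred" a1="-f" a2="-z" a3="/dev/sda"',
    'type=EXECVE msg=audit(1649760046.300:4716): argc=4 a0="dd" a1="if=/dev/zero" a2="of=/dev/mapper/vg0-root" a3="bs=1M"',
    'type=EXECVE msg=audit(1649761500.000:4800): argc=3 a0="dd" a1="if=/dev/zero" a2="of=/tmp/zeros.bin"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"], a["ts"], a["cmd"])
```

Run against SAMPLE_LOG the service stop scores medium on its own, the two device-level wipes that follow it within the window score critical, and the dd to a regular file is ignored; with a narrower window the wipes still score high but are not correlated with the stop. Real deployments would key the correlation on host and session as well as time, and would feed the critical-unit list from the asset inventory rather than a hard-coded set.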
Scale
• Much Larger Scale Than 2016
• Closer To 2015 In Targeting Multiple Sites Simultaneously
• Automated Execution & Deployment Like 2016?
Impact Scenario
• Significant Deployment Of Wipers Across Multiple System Types
• Catalog Of KNOWN Capabilities Indicates Disruptive-Only Event
Success
• IEC-104 Payload Seems Like It Would Have Worked!
• Learning From 2016 Mistakes
• Intervention Prevented Impact Scenario
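Both the 2022 attack chain ("Deploy IEC-104 Protocol-Aware Malware") and the assessment above that the IEC-104 payload would have worked turn on the same protocol: IEC 60870-5-104 control commands that switch breakers. The following is an added example written for this review, not code from the talk or from any vendor: a minimal IEC-104 APDU decoder that alerts on single/double/regulating commands sent in activation with the execute bit set, the traffic shape a breaker-operating payload produces on the wire. The frames in SAMPLE_FRAMES are constructed by hand, and the common address and IOA values in them are arbitrary.

```python
"""Decode IEC 60870-5-104 (IEC-104) APDUs and flag breaker-style control commands.

Added example written for this review; not code from the talk or from any vendor.
It parses the APCI header and the ASDU of I-format frames and alerts on
single/double/regulating commands (type IDs 45-47) sent in 'activation' (COT 6)
with the execute bit set. SAMPLE_FRAMES are constructed by hand for this example.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

START = 0x68
C_SC_NA_1, C_DC_NA_1, C_RC_NA_1, C_IC_NA_1 = 45, 46, 47, 100  # ASDU type IDs (IEC 60870-5-101)
COT_ACTIVATION = 6
TYPE_NAMES = {45: "C_SC_NA_1", 46: "C_DC_NA_1", 47: "C_RC_NA_1", 100: "C_IC_NA_1"}
ELEMENT_SIZE = {45: 1, 46: 1, 47: 1, 100: 1}  # one qualifier byte follows the IOA for these types


@dataclass
class InfoObject:
    ioa: int             # information object address (3 bytes, little-endian on the wire)
    raw: int             # qualifier byte (SCO / DCO / RCO / QOI)
    select_execute: str  # "select", "execute", or "n/a"
    state: str           # decoded command state, e.g. "ON"/"OFF"


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    objects: List[InfoObject]


def decode_element(type_id: int, ioa: int, raw: int) -> InfoObject:
    """Interpret the single qualifier byte that follows the IOA for supported types."""
    se = "select" if raw & 0x80 else "execute"  # S/E is the top bit of SCO/DCO/RCO
    if type_id == C_SC_NA_1:
        state = "ON" if raw & 0x01 else "OFF"  # SCS is bit 0
    elif type_id in (C_DC_NA_1, C_RC_NA_1):
        names = {1: "OFF", 2: "ON"} if type_id == C_DC_NA_1 else {1: "LOWER", 2: "HIGHER"}
        state = names.get(raw & 0x03, "INVALID")  # DCS/RCS use bits 0-1; 0 and 3 are not permitted
    else:
        se, state = "n/a", f"qualifier={raw}"  # e.g. QOI for a general interrogation
    return InfoObject(ioa, raw, se, state)


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one APDU. Returns None for S/U-format frames (no ASDU); raises on malformed input."""
    if len(data) < 6 or data[0] != START:
        raise ValueError("not an IEC-104 APDU")
    if len(data) != data[1] + 2:  # length byte counts control field + ASDU
        raise ValueError(f"length field {data[1]} disagrees with frame size {len(data)}")
    if data[2] & 0x01:  # control octet 1, bit 0 set => S-format or U-format, carries no ASDU
        return None
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    type_id, vsq = asdu[0], asdu[1]
    sq, count = bool(vsq & 0x80), vsq & 0x7F
    cot = asdu[2] & 0x3F  # bits 6/7 are the P/N and Test flags; asdu[3] is the originator address
    common_addr = struct.unpack_from("<H", asdu, 4)[0]
    objects: List[InfoObject] = []
    size = ELEMENT_SIZE.get(type_id)
    if size is not None:
        body, pos, first_ioa = asdu[6:], 0, 0
        for i in range(count):
            if sq and i > 0:
                ioa = first_ioa + i  # SQ=1: one IOA, later elements sit at consecutive addresses
            else:
                if pos + 3 > len(body):
                    raise ValueError("truncated information object address")
                ioa = body[pos] | body[pos + 1] << 8 | body[pos + 2] << 16
                pos += 3
                first_ioa = ioa
            if pos + size > len(body):
                raise ValueError("truncated information element")
            objects.append(decode_element(type_id, ioa, body[pos]))
            pos += size
    return Asdu(type_id, cot, common_addr, objects)


def flag_control_commands(frames: Iterable[bytes], allowed_ioas: Iterable[int] = ()
                          ) -> List[Tuple[int, str, int, int, str]]:
    """Return (frame index, type name, common address, IOA, state) for every executed
    control command in activation whose IOA is not on the operator's allow-list."""
    allowed = set(allowed_ioas)
    alerts = []
    for idx, frame in enumerate(frames):
        asdu = parse_apdu(frame)
        if asdu is None or asdu.type_id not in (C_SC_NA_1, C_DC_NA_1, C_RC_NA_1):
            continue
        if asdu.cot != COT_ACTIVATION:  # confirmations/terminations come back from the outstation
            continue
        for obj in asdu.objects:
            if obj.select_execute == "execute" and obj.ioa not in allowed:
                alerts.append((idx, TYPE_NAMES[asdu.type_id], asdu.common_addr, obj.ioa, obj.state))
    return alerts


# Constructed frames (not captured traffic). APCI: 68 <len> <4 control bytes>; ASDU follows.
SAMPLE_FRAMES = [
    bytes.fromhex("680e 00000000 2d 01 06 00 0100 4d0400 01"),  # C_SC_NA_1, CA=1, IOA=1101, execute ON
    bytes.fromhex("680e 00000000 64 01 06 00 0100 000000 14"),  # C_IC_NA_1 general interrogation (QOI=20)
    bytes.fromhex("6804 01000000"),                              # S-format acknowledgement, no ASDU
    bytes.fromhex("680e 00000000 2e 01 06 00 0100 4e0400 82"),  # C_DC_NA_1, IOA=1102, select ON
    bytes.fromhex("680e 00000000 2e 01 06 00 0100 4e0400 01"),  # C_DC_NA_1, IOA=1102, execute OFF
    bytes.fromhex("680e 00000000 2d 01 07 00 0100 4d0400 01"),  # C_SC_NA_1, COT=7 activation confirmation
]

if __name__ == "__main__":
    for alert in flag_control_commands(SAMPLE_FRAMES):
        print("frame %d: %s CA=%d IOA=%d -> %s" % alert)
```

On the constructed frames only the two executed commands (frames 0 and 4) are reported; the interrogation, the S-format acknowledgement, the select-only command and the outstation's confirmation are not. Passing the IOAs the control center is expected to operate in `allowed_ioas` reduces the output to commands aimed at unexpected points, which is the more useful signal for an operator, since legitimate SCADA traffic will also carry type 45/46 commands.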
So Lots Of Cyber In the Grid – Right?
But When Shit Really Hit The Fan…
Were The UA Power Attacks Successful?
Based On Analysis Of Available Data, NONE Of The Targeted Attacks On Ukraine Electric Entities Worked As Planned
2015: Rapid Manual Restoration Resulted In Limited Outage
2016: Various Technical Errors Resulted In Limited Outage, Failed Destructive Event
2022: Rapid Info Sharing And Coordination Enabled Identification And Prevention Of Event
Sandworm Responsibility For Power Events Can Be Mapped Based On Technical Information & Malware Samples
Functional Relationships And Code Similarity Enable Us To Connect Various Ukraine-Targeting Events To Same Actor(s)
Our Visibility Is Limited To Tools (Malware) & Impacts (What Is Reported)
Multiple Teams - Operators, Developers, Others - May Be Involved!
Links Between Events May Highlight More Complex Relationships Than What Our Visibility Shows!
Significant Record Of Cyber-Nexus Attacks On Ukraine Electric Sector!
But... Track Record Is "Mixed" To Put It Lightly
Yet Industroyer2 Shows Even In Active Conflict Cyber Has A Place
Cyber Events Are VERY Real
Ukraine Is Both A Lesson AND An Example For Us All!
Operational Resilience And Flexibility Are Critical!
References and Resources
• Analysis of the Cyber Attack on the Ukrainian Power Grid – SANS & E-ISAC (https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf)
• Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies – David E. Whitehead, Kevin Owens, Dennis Gammel, and Jess Smith, Schweitzer Engineering Laboratories (https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6774_UkraineCyber_DEW_20170130_Web7.pdf?v=20191014-184954)
• CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack – Joe Slowik, Dragos (https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf)
• WIN32/INDUSTROYER: A New Threat for Industrial Control Systems – Anton Cherepanov, ESET (https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf)
• Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE – Joe Slowik, Dragos (https://www.virusbulletin.com/virusbulletin/2019/03/vb2018-paper-anatomy-attack-detecting-and-defeating-crashoverride/)
• Stuxnet to CRASHOVERRIDE to TRISIS: Evaluating the History and Future of Integrity-Based Attacks on Industrial Environments – Joe Slowik, Dragos (https://www.dragos.com/wp-content/uploads/Past-and-Future-of-Integrity-Based-ICS-Attacks.pdf)
• Industroyer2: Industroyer Reloaded – ESET Research (https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/)
• Industroyer2 IEC-104 Analysis – Erik Hjelmvik, Netresec (https://www.netresec.com/?page=Blog&month=2022-04&post=Industroyer2-IEC-104-Analysis)
• Industroyer2 In Perspective – Joe Slowik, Stranded On Pylos (https://pylos.co/2022/04/23/industroyer2-in-perspective/)
• GREYENERGY: A Successor to BlackEnergy – Anton Cherepanov, ESET (https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf)
• New TeleBots Backdoor: First Evidence Linking Industroyer to NotPetya – Anton Cherepanov & Robert Lipovsky, ESET (https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/)
• Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace – US Department of Justice (https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and)
Questions?
Contact Info:
joe@paralus.co
@jfslowik
